PDF malware analysis — malicious · 35561a496b255f9f

MALICIOUS

PDF

826.1 KB Created: 2009-10-22 17:27:05 +04:00 Authoring application: formTookYou (via f8580959e35cb0934479bb007fb241c2)

MD5: b3acba7f2ef81427d97c5eb71f373a30 SHA-1: e855995e16b7f60fa321fdc2743874dd8cb7a650 SHA-256: 35561a496b255f9f389819fadb48abbf7b0fd60db66295cf060d3008f4b8dbd8

66 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript

The PDF contains embedded JavaScript and JavaScript actions, indicating an attempt to execute code upon opening. The ML classifier strongly flagged this PDF as malicious. While the exact script functionality is not detailed, its presence suggests a downloader or exploit execution.

Machine Learning

Nyx PDF Classifier malicious score 0.8730

Heuristics 4

JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 21

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_093_off00084af6.bin` `bf78fdf22997090ca93619d9d77915da176e754e8792cd80b1f40a2947c09e17`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x84AF6	8803 bytes
`icc_00_off0000a27d.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0xA27D	3144 bytes
`font_00_cff_off00001ec3.bin` `38f4ddd32e736897982ced0858b49da07a104e846d0946b9789f4ef370f99eb2`	pdf-font-stream	PDF embedded font (cff) at offset 0x1EC3	357 bytes
`font_01_cff_off0000236c.bin` `2789af23995f8af33b2dae091e9b962494e0b8b0e898fada623820ee9686b3ca`	pdf-font-stream	PDF embedded font (cff) at offset 0x236C	499 bytes
`font_02_cff_off00002899.bin` `755b31802bfcbe5da85fa3b6417005821fa046390579475e59a1b7e221fd17f2`	pdf-font-stream	PDF embedded font (cff) at offset 0x2899	2550 bytes
`font_03_cff_off000035e7.bin` `eb7fc9a0f6b5c973d758c18668889ef5241421e8108bf894a9400ecd0930c40c`	pdf-font-stream	PDF embedded font (cff) at offset 0x35E7	3369 bytes
`font_04_cff_off00004590.bin` `ce12ce1ce9ee146def1a9a0aa879316c8283c74b0dab40de60412666b768231d`	pdf-font-stream	PDF embedded font (cff) at offset 0x4590	2951 bytes
`font_05_cff_off000053c5.bin` `650743b0083f4117eafe6d934f210cd07b94d118b25ed99f041916d1b6f42ac7`	pdf-font-stream	PDF embedded font (cff) at offset 0x53C5	5979 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.40, consistent with packed or encrypted content.
`font_06_cff_off00006c45.bin` `91487fd16b17d83908b1ba219ae597731b7158e968667787a056b1d4df0de59a`	pdf-font-stream	PDF embedded font (cff) at offset 0x6C45	1949 bytes
`font_07_cff_off00007858.bin` `cf4944c56c01f4a65c36b5010c12128ca3ddbe0e6806e8b147a7b04453bfa751`	pdf-font-stream	PDF embedded font (cff) at offset 0x7858	6612 bytes
`font_08_cff_off00009479.bin` `c5675bd2f2b586cbf48ee24f95e1cf91eec1b4928c28c92220efce9ec4db3e29`	pdf-font-stream	PDF embedded font (cff) at offset 0x9479	3996 bytes
`font_09_sfnt_off0000cafe.bin` `2722878b19761e7a433e1ca6f32e7f9fe9cccce4136877b3beb9040f23bd4b18`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCAFE	23432 bytes
`font_10_sfnt_off000100d5.bin` `80383e85181b7288bd3f68d71356b7e2ef2e1f0ba00d93e81908469c104a18d9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x100D5	52108 bytes
`font_11_sfnt_off000187bd.bin` `336a7a084a76c025a84d5a8cbd6080db9a267cde0e24fe672acabed56b19aa8d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x187BD	48764 bytes
`font_12_cff_off0008353b.bin` `3f42af993e3b418bb55eafa50355049fa944bec6e6f195d43c51d16349b90807`	pdf-font-stream	PDF embedded font (cff) at offset 0x8353B	5386 bytes
`font_14_cff_off00086c97.bin` `cd3cd1d9c56377c2495eda4114f5abfea8573f7de3266c2a4b2da46be18eda49`	pdf-font-stream	PDF embedded font (cff) at offset 0x86C97	7758 bytes
`font_15_cff_off00088969.bin` `514f1280bb6f708d0f30af5480342acfa7696bdc7687e31ddefd4597bb3411a1`	pdf-font-stream	PDF embedded font (cff) at offset 0x88969	4975 bytes
`font_16_cff_off0008b59d.bin` `96b3d4b0414c6ed3c7d43fcf72b21437be7138497c6e08df5bf9bf1afb35caf6`	pdf-font-stream	PDF embedded font (cff) at offset 0x8B59D	13118 bytes
`font_17_cff_off0008e1d0.bin` `60972574e1b85c03bb2e6823ecd92372f6c53e7635f5ff2aabd4cce99b8639fa`	pdf-font-stream	PDF embedded font (cff) at offset 0x8E1D0	8182 bytes
`font_18_cff_off000922b4.bin` `6a8a434ff15f2f63eb377b04544048bafc5988b852a77df09c032f7f41149419`	pdf-font-stream	PDF embedded font (cff) at offset 0x922B4	4685 bytes
`font_19_cff_off000b8698.bin` `16c548e98aa9a9c2a01bbd9c5552201f3ae98aa541a458bdaccd2b5d874099b7`	pdf-font-stream	PDF embedded font (cff) at offset 0xB8698	1210 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.